Intel Has a New Spectre and Meltdown Firmware Patch For You To Try Out (betanews.com) 130
Mark Wilson writes: The Spectre/Meltdown debacle continues to rumble on, and now the chip manufacturer has announced the availability of a new 'microcode solution' to the vulnerability. The updated firmware applies to 6th, 7th and 8th Generation Intel Core devices, and the release sees the company crossing its fingers and hoping that everything works out this time.
This is Intel's second attempt at patching the vulnerability, and this time around both the company and its customers will be praying that the fix for Skylake, Kaby Lake and Coffee Lake chips actually does the job.
Tricky decision (Score:5, Insightful)
I'm waiting for the point when the Intel patch does less damage than Spectre and Meltdown. Are we there yet?
It depends... (Score:4, Insightful)
Does losing up to ~30% of your chip's speed mean more or less damage to you, to your usual workload, to the threat model you feel as better applying to your person?
Re: (Score:3)
Now feeling a bit smug about my move back to AMD. Pure dumb luck that it doesn't get Spectred of course, but this is just one reason I like Zen more than Core arch.
Re: (Score:2)
Ah, I meant Meltdown of course, not Spectre.
Re: (Score:2)
Re: (Score:2)
It's academic anyway. You can't get the patch yourself, you have to wait for your motherboard manufacturer to release a BIOS update.
Intel hasn't updated its boards yet. Probably never will.
I'll let someone else go first, and await results (Score:1)
Not keen to be a guinea pig
Re:another day another solution (Score:5, Insightful)
Nonsense. He would have inserted how his hosts file utility protects against Spectre and Meltdown. And you can totally trust a guy whose website for his tool still shows Windows NT 4.0 screenshots!
Re: (Score:1, Informative)
APK is a myth anyway. His sightings are about as credible as pictures of the Loch Ness monster.
Prayer vs. Testing. (Score:5, Insightful)
"...this time around both the company and its customers will be praying that the fix for Skylake, Kaby Lake and Coffee Lake chips actually does the job."
I can understand the masses praying for a legitimate fix, but the company is praying this will work? Did they suddenly abandon the concept of testing prior to release?
I mean, it's not like Intel has to go digging to find a metric fuckton of affected hardware...
Re:Prayer vs. Testing. (Score:5, Funny)
My thoughts and prayers go out to Intel processors everywhere.
Re: (Score:2)
Agile IS hope and prayer. Build random thing, hope (Score:2)
Agile is the practice of building software without first figuring out what kind of software you need to build. It IS development by prayer - build something, anything, and then pray that it somehow relates to the user's need.
Re: (Score:2)
Full speed ahead and let's pray the shields hold up!
Re: Prayer vs. Testing. (Score:2)
Re: (Score:2)
That's only even one small team!
I don't think the free Mountain Dew in the breakroom is helping any, either. Nor does the Free Pizza Fridays.
I've spent some time in the Portland area, including near the Intel campus, and I have to say that if the team is entirely made up of H1B recipients then you'll get like, 3 times as many team members per metric ton compared to using domestic neckbeards.
Re:Prayer vs. Testing. (Score:4, Funny)
Re: (Score:2, Funny)
You are assuming that Intel does testing in the first place. We now know that they prefer to pray than test. "Our Father, who art in Silicon Valley, hallowed be thy chipsets. Thy breadboards come, thy NAND gates done, on XOR as it is in RAM. Give us this day our daily clock speed and lead us not into a Meltdown but deliver us from AMD. For thine is the multi-core, the multi-thread, and the L3 cache forever. Amen."
Re: (Score:2)
Perhaps they're an AMD shop?
Re: (Score:2)
Who writes these taglines? (Score:5, Insightful)
Who writes these taglines? This is clearly not a Meltdown patch at all, so it shouldn't be mentioned anywhere.
Re: (Score:3, Funny)
Take it easy, brah, don't have a meltdown
Re: (Score:2)
Reminds me of an old TV show (Score:5, Funny)
There was a campy, over-the-top parody TV show called "Sledge Hammer" back in the 80s... although even if you're old enough, you may not remember it since it wasn't exactly a roaring success. The "protagonist" (using that term loosely) was a gun-happy cop whose solution to everything involved using his gun. If someone was stealing a candy bar, he might shoot the candy bar out of the perp's hands, for instance. If an old lady missed her bus, he might shoot out the tires of the bus.
Anyway, right now Intel reminds me of the show's intro. Most of it just featured glamour shots of Sledge Hammer's gun... but, at the end, Sledge Hammer says "Trust me, I know what I'm doing", and he shoots - but the bullet miscarries, resulting in a (virtual) bullet hole on your TV screen.
That's Intel, in a nutshell.
Re:Reminds me of an old TV show (Score:4, Funny)
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:3)
Love it!
Another great show I managed to kill off... When I really like a show, you can pretty much guarantee it's not going to last. At least this one made it a couple seasons.
RIP Max Headroom, Twin Peaks, Andy Richter Controls the Universe, Firefly - and too many others to mention. Some of them you can't even get on DVD, the interest is so low...
Re:Reminds me of an old TV show (Score:4, Funny)
Could you do the rest of the world a favour and develop a keen interest in the Kardashians?
kthanksbye
Re: (Score:3)
Yes. It's called Star Trek DS9.
Cardassians/Kardashians - The difference (Score:5, Funny)
Re: (Score:2)
I should have seen this joke coming, but nevertheless.... You owe me a new keyboard.
Re: (Score:2)
Max Headroom was certainly a great movie. But that TV show they made of it really sucked bad.
It was the only show on TV when I was a child where I would watch the awesome intro, and then change the channel when the show started.
Re: (Score:2)
Another great show I managed to kill off... When I really like a show, you can pretty much guarantee it's not going to last.
You mean like I did with Bakersfield PD [youtube.com]? It's depressing when you realize that you're the jinx of TV shows. :-(
Re: (Score:3)
Ah memories. I loved my early 80s trash TV...and it was trash. Holy shit was it trash.
Still loved it.
Re: (Score:2)
Ha, I used to watch that. It was entertaining for the time. Too bad it ended on that cliffhanger.
Re: (Score:2)
Re: Reminds me of an old TV show (Score:3)
Re: (Score:2)
Ya gotta admit, AMD had much cooler names for their CPUs than Intel did.
Re: (Score:2)
Ha, one of my favorite shows from the 80s! Those were good times. I have the collection, and I'll still break it out every so often.
Re: (Score:2)
I loved that 80s series as a callow ant. :D
Re: (Score:2)
Good times man. Good times.
https://www.youtube.com/watch?v=XGoU7urNTbI [youtube.com]
Spectre only (Score:4, Informative)
Re: Spectre only (Score:1)
You can fix it with a flat-head screwdriver by prying the damn thing off your motherboard.
-Homer
Re: (Score:2)
Why not? My understanding was that Meltdown was based on predictive branching, in which case if you disable predictive branching it doesn't happen.
Granted, that's a pretty heavy-handed fix, but there may be other ways that are still down to changing the CPU microcode...
Re: (Score:1)
I think you have confused Meltdown and Spectre.
Spectre impacts everything and is basically not something that can really go away. It will be haunting us for a long time, which is why they called it "Spectre." The upside is it's extremely difficult to exploit in a meaningful way.
Meltdown is actually fixable since it's a bounds check that Intel doesn't enforce when they are supposed to. The microcode and firmware can both be fixed to resolve that issue.
Re: (Score:2)
Heavy handed is why not. A patch that literally makes your CPU perform like something from the 90s is not a patch which 'works'.
Re: (Score:3, Informative)
It's a bit funny that this post is 5 Informative. It is exactly the wrong way around. Meltdown can be fixed with a patch. It involves speculating across a hardware security barrier, which is something that microcode has a chance to detect.
Spectre, on the other hand, does not involve speculating into inaccessible memory. It just involves speculating into memory that the program (typically a jit compiler) is carefully avoiding touching.
Re: (Score:1)
No, GP had it right - Meltdown can't be fixed with a CPU patch, because the access-granting flaw isn't in the microcode. All the CPU patches are for Spectre variant 2.
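Added example (not part of any comment in this thread, and not Intel or kernel project code): on Linux, the kernel reports per-vulnerability status under /sys/devices/system/cpu/vulnerabilities/, which shows whether a mitigation is done by the kernel alone (PTI for Meltdown) or also relies on microcode-provided features (IBRS/IBPB for Spectre variant 2), the distinction argued over in this sub-thread. The sample status strings and microcode revision are constructed, and the function names are this example's own.

```python
import os
import re

SYSFS = "/sys/devices/system/cpu/vulnerabilities"

# Constructed samples: kernel status strings before and after a microcode update.
SAMPLE_BEFORE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
SAMPLE_AFTER = dict(SAMPLE_BEFORE,
                    spectre_v2="Mitigation: Full generic retpoline, IBPB, IBRS_FW\n")
# Constructed /proc/cpuinfo excerpt; the revision value is illustrative only.
SAMPLE_CPUINFO = "processor\t: 0\nmodel name\t: sample CPU\nmicrocode\t: 0xc2\n"

# Tokens in a status string that depend on microcode-provided CPU features.
MICROCODE_FEATURES = ("IBRS", "IBPB", "STIBP")

def classify(reports):
    """Return {vuln: (state, layer)}; layer is 'kernel', 'kernel+microcode' or None."""
    result = {}
    for name, text in reports.items():
        text = text.strip()
        if text.startswith("Not affected"):
            result[name] = ("not affected", None)
        elif text.startswith("Mitigation:"):
            detail = text.split(":", 1)[1]
            layer = "kernel+microcode" if any(f in detail for f in MICROCODE_FEATURES) else "kernel"
            result[name] = ("mitigated", layer)
        else:  # "Vulnerable" (possibly with a reason) or anything unrecognised
            result[name] = ("vulnerable", None)
    return result

def microcode_revision(cpuinfo_text):
    """Return the loaded microcode revision as an int, or None if not reported."""
    m = re.search(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)", cpuinfo_text, re.M)
    return int(m.group(1), 16) if m else None

def read_live(path=SYSFS):
    """Read the running kernel's reports; empty dict if the sysfs directory is absent."""
    if not os.path.isdir(path):
        return {}
    reports = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as fh:
            reports[name] = fh.read()
    return reports

if __name__ == "__main__":
    for vuln, (state, layer) in classify(read_live() or SAMPLE_AFTER).items():
        print(f"{vuln:12} {state:13} {layer or '-'}")
```

Comparing the `microcode_revision` value and the `spectre_v2` layer before and after a BIOS or OS-delivered microcode update confirms whether the new firmware was actually loaded.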
Re: (Score:3)
You've misunderstood the problem. The patchability of this issue has been public knowledge for quite a while, so there's no excuse for your flippant ignorance on it. The article even specifically calls out Spectre: you'll see only the summary incorrectly mentions Meltdown.
Meltdown is only patchable via software at the OS level. This is the entire reason operating systems put in these huge page table isolation pages. The CPU fix will come years from now.
Spectre variant 2 is patchable via software per-app via
Comment removed (Score:5, Funny)
Re: (Score:2)
Let me know how it goes, everyone! I'll see you all in therapy...
The meeting is in the next room to the "Patch Tuesday Support Group", down the hall from "Dependency Hell Anonymous", right?
Re: (Score:3)
But I just got all my shit working again....
Why do they need to rely on hope? (Score:2)
the release sees the company crossing its fingers and hoping that everything works out this time
Intel has relationships with pretty much every computer OEM and cloud computing provider -- why do they need to cross their fingers and hope for the best when they can get their partners (who are just as motivated as Intel to have a usable solution) involved in large-scale tests?
Re: (Score:2)
Intel has relationships with pretty much every computer OEM and cloud computing provider -- why do they need to cross their fingers and hope for the best when they can get their partners (who are just as motivated as Intel to have a usable solution) involved in large-scale tests?
One possible answer is because those others might just discover other security vulnerabilities in the silicon, possibly either unintentional in nature and/or some that were requested/ordered to be left in or deliberately inserted by US TLAs.
Strat
They've only had since June (Score:5, Informative)
Hey, Google only notified them in June and maybe they were going to get around to working on it after the holidays. And there are two new variants out this week that aren't considered, so be ready for the next round in a month or so as well.
You can't expect Intel to get these things done immediately, people! (the class action suits are going to love that they didn't fix it with six months' warning).
Re: (Score:1)
Hey, Google only notified them in June and maybe they were going to get around to working on it after the holidays. And there are two new variants out this week that aren't considered, so be ready for the next round in a month or so as well.
You can't expect Intel to get these things done immediately, people! (the class action suits are going to love that they didn't fix it with six months' warning).
This sounds very much like the Navy-owned submarine torpedo development facility, at the beginning of WWII. They sounded just the same and showed the same organizational problems, when the torpedoes that the submariners used failed to explode, over and over. Like 8 fired and one worked!
They were later found to have half a dozen serious bugs and defects, which had never been tested. Estimated to have caused a number of our ships to be destroyed and over 800 people to be killed!
And not all computers just run
Re: (Score:3)
Re: (Score:2)
For Meltdown, the quality of the last patch they offered, which was so bad that company after company said "don't install that" (though, AFAIK, only Linus added "garbage") seems to indicate that they didn't start development of the patch until after public notice.
Spectre is a different problem, but Meltdown ought to be fixable, if only by disabling the running speculative execution. (Whether they can do better than that I wouldn't guess.) OTOH, that approach should also solve Spectre...but nobody wants to
Re: (Score:2)
And I'm no expert, so I can't give you the details you want. But you could check the Linux Kernel developers list where it was discussed. Abusively. Linus did not think highly of the patch at all. Other companies just said "don't install that" and said things like "it won't work with our equipment". If any of them gave details, I didn't hear them. (OTOH, I only hear of this on Slashdot and Soylent News. As I said, that's not where I'm an expert.)
Q3 2015 (Score:5, Interesting)
Skylake launched Q3 2015. So Intel is pushing the patch for barely more than 2 years worth of product. What about the millions (billions?) of systems out there that were not replaced in the past two years? Are they going the same way of Android in the "well fuck, sucks to be you!" mentality of security because the device isn't the absolute latest and greatest? I'm thinking they only supported back that far is because there are Xeon-D CPUs that launched Q1 2018 with Skylake architecture, and Intel is all over that Xeon-D right now (this is what Facebook is now using)
Re: (Score:2)
My guess is that they will go back further than they need to in order to cover all their products under warranty. Anything beyond that is them just being nice.
Re: Q3 2015 (Score:1)
Well, my next CPUs will be AMDs, for the foreseeable future. Fuck Intel.
Re: (Score:2)
Buy a new CPU soon that will be tested before its approved for the production line.
Try out? (Score:2)
Don't we have a chimp or a rabbit that we could test this stuff on first?
Re: (Score:2)
Always mount a scratch monkey [edp.org].
Re:Try out? (Score:4)
Don't we have a chimp or a rabbit that we could test this stuff on first?
No, but we have a bunch of dumb ass naked apes.
Re: (Score:2)
Sure, trim the neckbeard back a bit and call it a "chimp," nobody will notice.
Also, I think that rabbit was an ewok yesterday, so be careful.
Are the other manufacturers onboard yet? (Score:2)
Not available on intel download site (Score:1)
Well
https://downloadcenter.intel.c... [intel.com]
finds only ancient, 2017 microcode version :-(
Now with less reboot! (Score:1)
But more crashes!
Still shipping vulnerable processors? (Score:4, Insightful)
Is Intel still shipping processors with these vulnerabilities?
If so, you have to ask "what the hell are they thinking"?
Would Ford or Chevy be allowed to keep selling a vehicle which was known to have defects that made it unroadworthy even before you drove it off the showroom floor?
Re: (Score:2)
"Moreover, there is a fix that the end user can apply as he sees fit."
Really? I thought it was still in beta-test, hence this discussion.
Wrong title. (Score:2)
Should have been:
Intel Has a New Spectre and Meltdown Firmware Patch And Wants You To Test It Because Intel Couldn't Be Arsed To Do Its Own Testing.
Re: (Score:1)
Thank you, official NSA statement.